InnoCraft

How to complete your privacy policy with Matomo analytics under GDPR

Important note: this blog post has been written by digital analysts, not lawyers. The purpose of this article is to show you how to complete your existing privacy policy by adding the parts related to Matomo in order to comply with GDPR. This work comes from our interpretation of the UK privacy commission, the ICO. It cannot be considered professional legal advice. As with GDPR, this information is subject to change. We strongly advise you to check with the different privacy authorities in order to have up-to-date information. This blog post contains public sector information licensed under the Open Government Licence v3.0.

Neither the official GDPR text nor the ICO mentions the words ‘privacy policy’. They use the words ‘privacy notice’ instead. As explained in our previous blog post, “How to write a privacy notice for Matomo”, the key concepts of privacy information are transparency and accessibility, which make the privacy notice very long.

As a result, we prefer splitting the privacy notice into two parts:

Privacy notice: straight-to-the-point information about how personal data is processed at the time of the data collection. This is the subject of our previous blog post.

Privacy policy: a web page explaining in detail all the personal data you are processing and how visitors/users can exercise their rights. This is the blog post you are reading.

Writing/updating your privacy policy page can be one of the most challenging tasks under GDPR.

In order to make this mission less complicated, we have designed a template which you can use to complete the privacy policy part that concerns Matomo.

1 – About Matomo

Note: this part should describe the data controller instead, which is your company. But as you may already have included this part within your existing privacy policy, we prefer here to introduce what Matomo is.

Matomo is an open source web analytics platform. A web analytics platform is used by a website owner in order to measure, collect, analyse and report visitor data for the purposes of understanding and optimizing their website. If you would like to see what Matomo looks like, you can access a demo version at: https://demo.matomo.org.

2 – Purpose of the processing

Matomo is used to analyse the behaviour of website visitors in order to identify potential pitfalls: not found pages, search engine indexing issues, which content is the most appreciated… Once the data is processed (number of visitors reaching a not found page, viewing only one page…), Matomo generates reports so that website owners can take action, for example changing the layout of the pages, publishing fresh content, etc.

Matomo is processing the following personal data:

Pick the ones you are using:

Cookies

IP address

User ID

Custom Dimensions

Custom Variables

Order ID

Location of the user

And also:

Date and time

Title of the page being viewed

URL of the page being viewed

URL of the page that was viewed prior to the current page

Screen resolution

Time in local timezone

Files that were clicked and downloaded

Link clicks to an outside domain

Page generation time

Country, region, city

Main Language of the browser

User Agent of the browser

This list can be completed with additional features such as:

Session recording, mouse events (movements, content forms and clicks)

Form interactions

Media interactions

A/B Tests

Pick one of the two:

The processing of personal data with Matomo is based on legitimate interests, or:

The processing of personal data with Matomo is based on explicit consent. Your privacy is our highest concern. That’s why we will not process any personal data with Matomo unless you give us clear explicit consent.

3 – The legitimate interests

This content applies only if you are processing personal data based on legitimate interests. Here you need to justify your legitimate interests in processing personal data. It is a set of questions described here.

Processing your personal data such as cookies is helping us identify what is working and what is not on our website. For example, it helps us identify if the way we are communicating is engaging or not and how we can organize the structure of the website better. Our team is benefiting from the processing of your personal data, and they are directly acting on the website. By processing your personal data, you can profit from a website which is getting better and better.

Without the data, we would not be able to provide you with the service we are currently offering to you. Your data will be used only to improve the user experience on our website and help you find the information you are looking for.

4 – Recipient of the personal data

The personal data received through Matomo are sent to:

Our company.

Our web hosting provider: (name and contact details of the web hosting provider).

Note: If you are using the Matomo Analytics Cloud by InnoCraft, the web hosting provider is “InnoCraft, 150 Willis St, 6011 Wellington, New Zealand”.

5 – Details of transfers to third country and safeguards

Matomo data is hosted in (name of the country).

If the country mentioned is not within the EU, you need to mention here the appropriate safeguards, for example: our data is hosted in the United States within company XYZ, registered to the Privacy Shield program.

Note: The Matomo Analytics Cloud by InnoCraft is currently hosted in France. If you are using the cloud-hosted solution of Matomo, use “France” as the name of the country.

6 – Retention period or criteria used to determine the retention period

We are keeping the personal data captured within Matomo for a period of (indicate the period here).

If you are processing personal data with Matomo based on explicit consent:

As Matomo is processing personal data based on explicit consent, you can exercise the following rights:

Right of access: you can ask us at any time to access your personal data.

Right to erasure: you can ask us at any time to delete all the personal data we are processing about you.

Right to portability: you can ask us at any time for a copy of all the personal data we are processing about you in Matomo.

Right to withdraw consent: you can withdraw your consent at any time by clicking on the following button.

8 – The right to withdraw consent at any time

If you are processing personal data under the consent lawful basis, you need to include the following section:

You can withdraw your consent at any time by clicking here (insert here the Matomo tracking code to remove consent).

9 – The right to lodge a complaint with a supervisory authority

If you think that the way we process your personal data with Matomo analytics is infringing the law, you have the right to lodge a complaint with a supervisory authority.

10 – Whether the provision of personal data is part of a statutory or contractual requirement; or obligation and possible consequences of failing to provide the personal data

If you wish us to not process any personal data with Matomo, you can opt-out from it at any time. There will be no consequences at all regarding the use of our website.

11 – The existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences

Matomo is not doing any profiling.

That’s the end of our blog post. We hope you enjoyed reading it and that it will help you get through the GDPR compliance process. If you have any questions dealing with this privacy policy in particular, do not hesitate to contact us.
